Hello,
I'm looking to build a HotSpot controller for hotel clients in France, complying with the GDPR standards in place here.
Could you tell me if OpenWrt would be a viable solution?
Thank you.
Sincerely,
Not sure what you mean by hotspot, but yes, it is viable.
https://openwrt.org/docs/guide-user/services/captive-portal/opennds
GDPR doesn't really have anything to do with the hotspot itself, but with the info you require from the end user to gain internet access, and the session data you save?
If you only have an "I confirm" button and log nothing, there's no GDPR data?
Excuse me,
Here is the explanation:
GDPR and Public WiFi in France
In France, when a business (hotel, café, restaurant, etc.) provides public WiFi, it must comply with the General Data Protection Regulation (GDPR). Here are the key requirements:
Users must accept the terms of use before accessing the Internet.
A captive portal page should display information about data collection and retention.
Users must be informed that they can request deletion of their data.
Public WiFi providers must store connection logs (IP addresses, timestamps, MAC addresses, etc.) for one year, as required by law.
These logs must be securely stored and not accessible to unauthorized staff.
The WiFi network must be protected against misuse (e.g., blocking illegal sites).
User authentication (tickets, email, SMS, social login) is recommended.
Businesses must ensure they are not held responsible for any illegal activity conducted via their WiFi.
OpenNDS (formerly Nodogsplash): lightweight and OpenWrt-compatible.
CoovaChilli: works with FreeRADIUS for advanced management.
pfSense / OPNsense: powerful firewall and captive portal.
Cloud solutions (Tanaza, Wavertech, etc.): easier to manage but require a subscription.
Choosing a GDPR-compliant captive portal is essential for secure and legal public WiFi management.
By default OpenWrt doesn't store any data about the clients (apart from the DHCP lease/MAC address, for up to 12 hours past its use; you can extend or shorten this value, though values under 0.5-1 hours are not recommended). In this default state there is nothing to consider in terms of GDPR.
If you want to set up a captive portal (e.g. via openNDS), you can certainly do so - the configuration for that (and what kind of data you gather) is all up to you, as is making sure that your configuration choices meet legal requirements.
Those two seem to clash?
Yes, at first glance, these two points may seem contradictory, but they actually address different aspects of data protection and legal compliance.
User Data Rights (GDPR): Under the GDPR, users have the right to request the deletion of their personal data (e.g., name, email, phone number) if collected for authentication purposes. A business must comply with this request unless there is a legal obligation to retain the data.
Log Retention Obligation (French Law): Independent of GDPR, French law requires public WiFi providers to store connection logs (IP addresses, MAC addresses, timestamps) for one year. These logs are stored for law enforcement purposes and are not used for marketing or tracking users beyond security needs. Users cannot request deletion of these logs before the retention period expires, as it is a legal requirement.
In short:
Personal data (e.g., email) can be deleted upon user request.
Connection logs must be kept for one year by law, regardless of GDPR.
This is a common situation where GDPR coexists with national laws, which sometimes take precedence for legal and security reasons.
The question is: what info are you going to request from your users, before giving them internet access?
First, users cannot request "deletion" of their data; they can request "cancellation" of their data (and that is a completely different beast).
And second, whatever the users request, the legal obligations of the provider prevail over those requests.